Date: Thu, 24 May 2012 14:22:32 -0400 (EDT)
From: "Brad Tilley" <>
Subject: Re: Can Excessive Rounds make Password cracking 

> On 05/24/2012 08:06 PM, Brad Tilley wrote:
>> This is slightly off-topic as it does not specifically relate to John use,
>> but I wanted to ask the opinions of others here. When do rounds make
>> password cracking infeasible, or do they? For example, the hash below is a
>> SHA-512 hash with 391939 rounds applied. You can actually feel the delay
>> at logon (about 2 seconds on newer machines):
>> test:$6$rounds=391939$UqhsyLSZ$F/K1CGpBf9yefYXCRbY5uK/LW1HzW8EiPCzdq8PMVvZ4JLhb4F464ps87MX/YwYEI0s62KIsnZBuCt45a.A4I0:1002:1002::/home/test:/bin/sh
>> The source code of sha512-crypt.c sets this as the maximum number of
>> rounds so Linux sys admins could configure this number even higher:
>>    /* Maximum number of rounds.  */
>>    #define ROUNDS_MAX 999999999
>> So long as the passwords are sufficiently complex and users can't select
>> simple words such as 'password' for their password, I would think that
>> these hashes are close to un-crackable (certainly not in a reasonable time
>> period anyway). What do other John users think?
> The problem is, even a delay of 2 seconds during login might be unacceptable.
> If you don't have a single-user system, but a server that is used by
> thousands of users who all login at nearly the same time, the possible
> delay will be much longer, and the server will hardly be usable for
> other activities during those times.
> Frank

Yes, thanks Frank. I understand that and have no disputes or questions
about that. My question is about the feasibility of cracking such hashes.
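The feasibility question in the thread reduces to two numbers: how much each extra round multiplies the attacker's work per guess, and how many guesses the attacker has to make. The following Python is an added example, not code from the thread or from John the Ripper. It parses the `$6$rounds=N$salt$hash` field from the quoted shadow entry, clamps the round count the way glibc's sha512-crypt.c does (ROUNDS_MAX is the value quoted above; ROUNDS_MIN and ROUNDS_DEFAULT are the other two constants from that file), and then models attacker and defender cost with a linear-in-rounds assumption. The benchmark figure of 100,000 guesses per second at the default 5000 rounds is a constructed placeholder, not a measured John or GPU rate, and the code does not implement sha512-crypt itself.

```python
import re
from fractions import Fraction

# Round limits from glibc's sha512-crypt.c. ROUNDS_MAX is the value quoted in
# the thread; ROUNDS_MIN and ROUNDS_DEFAULT come from the same source file.
ROUNDS_MIN = 1000
ROUNDS_DEFAULT = 5000
ROUNDS_MAX = 999999999

# Constructed sample input: the shadow entry quoted in the thread.
SHADOW_LINE = ("test:$6$rounds=391939$UqhsyLSZ$F/K1CGpBf9yefYXCRbY5uK/LW1HzW8EiPCzdq8PM"
               "VvZ4JLhb4F464ps87MX/YwYEI0s62KIsnZBuCt45a.A4I0:1002:1002::/home/test:/bin/sh")

# $6$[rounds=N$]salt$hash  -- salt is at most 16 chars of the crypt alphabet.
_SHA512CRYPT = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]+)$")


def parse_sha512crypt(crypt_field):
    """Split a $6$ crypt string into (rounds, salt, hash).

    A missing rounds= parameter means ROUNDS_DEFAULT; an out-of-range value is
    clamped to [ROUNDS_MIN, ROUNDS_MAX], as sha512-crypt.c does.
    """
    m = _SHA512CRYPT.match(crypt_field)
    if m is None:
        raise ValueError("not a sha512-crypt string: %r" % crypt_field)
    rounds = int(m.group(1)) if m.group(1) is not None else ROUNDS_DEFAULT
    rounds = max(ROUNDS_MIN, min(ROUNDS_MAX, rounds))
    return rounds, m.group(2), m.group(3)


def rounds_from_shadow(line):
    """Round count of the password field (second colon-separated field)."""
    return parse_sha512crypt(line.split(":")[1])[0]


def slowdown(rounds):
    """Work per guess relative to ROUNDS_DEFAULT, as an exact Fraction.

    Each round is one more SHA-512 pass, so the cost grows linearly: doubling
    the rounds doubles the attacker's work, it does not square it."""
    return Fraction(rounds, ROUNDS_DEFAULT)


def seconds_to_exhaust(rounds, keyspace, guesses_per_sec_at_default):
    """Seconds needed to try every candidate in `keyspace`, given a guess rate
    measured against ROUNDS_DEFAULT hashes (an assumed benchmark figure)."""
    rate = Fraction(guesses_per_sec_at_default) / slowdown(rounds)
    return float(Fraction(keyspace) / rate)


def login_delay(rounds, observed_seconds, observed_rounds):
    """Scale an observed verification delay (the thread reports about 2 s at
    391939 rounds) to another round count under the same linear model."""
    return observed_seconds * rounds / observed_rounds


if __name__ == "__main__":
    rounds = rounds_from_shadow(SHADOW_LINE)
    RATE = 100000  # constructed placeholder: guesses/s at 5000 rounds
    print("rounds=%d, %.1fx slower per guess than default" % (rounds, float(slowdown(rounds))))
    for label, keyspace in (("1M-word wordlist", 10 ** 6), ("8-char [A-Za-z0-9]", 62 ** 8)):
        for r in (ROUNDS_DEFAULT, rounds):
            secs = seconds_to_exhaust(r, keyspace, RATE)
            print("  %-20s rounds=%-7d exhaust in %.3g s (%.3g years)" % (label, r, secs, secs / 31557600))
    print("login delay at default rounds: %.3f s" % login_delay(ROUNDS_DEFAULT, 2.0, rounds))
```

Running it shows the point the thread circles around: going from 5000 to 391939 rounds costs the attacker (and every login on Frank's busy server) the same factor of about 78, so a million-word wordlist still falls in minutes, while the 62^8 keyspace is out of reach even at the default. Rounds buy a linear multiplier; password entropy is what buys the exponent.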

